Re: Sanitizing SQL string
- Subject: Re: Sanitizing SQL string
- From: Chuck Hill <email@hidden>
- Date: Thu, 24 Jan 2008 08:26:45 -0800
On Jan 24, 2008, at 8:16 AM, Miguel Arroz wrote:
Hi!
Didn't know that method, seems to be perfect for what I'm doing.
But just to kill my curiosity... how would I do it manually? I
was doing this:
ERXEOAccessUtilities.evaluateSQLWithEntityNamed( newContext,
    Contact.ENTITY_NAME,
    "UPDATE contact SET optedOut = true WHERE email = '" +
        User.normalizeEmail(email) + "'" );
normalizeEmail removes spaces, among other things, so that "drop
table user" becomes "droptableuser" and doesn't work. But of
course, it's a secondary effect, the correct way would be to escape
the result of normalizeEmail.
EOSQLExpression.formatStringValue(String string)
Formats string for use as a string constant in a SQL statement.
EOSQLExpression's implementation encloses the string in single
quotes, escaping any single quotes already present in string.
Chuck
On 2008/01/24, at 16:10, Chuck Hill wrote:
Can you be more specific on the SQL that you need to generate.
EOF can do much of it for you and Wonder has several options for
such batch operations, for example
ERXEOAccessUtilities.updateRowsDescribedByQualifier
(EOEditingContext ec, String entityName, final EOQualifier
qualifier, final NSDictionary newValues). If you can use
something like that, you can let EOF worry about the strings.
Chuck
On Jan 24, 2008, at 8:03 AM, Miguel Arroz wrote:
Hi!
I need to do an SQL query to do a batch operation on the DB
(yes yes, I know, but trust me, I know what I'm doing).
Usually I only have to deal with PKs and integers and so, but
on this specific query I have to handle a text string match (i.e.,
UPDATE blabla WHERE something = 'myText' ). How do I properly
sanitize the string (and escape it and whatever) before sending
it to the SQL query? I'm trying to avoid this:
<http://farm3.static.flickr.com/2160/1619915433_fdca91a23e.jpg>.
Yours
Miguel Arroz
Miguel Arroz
http://www.terminalapp.net
http://www.ipragma.com
--
Practical WebObjects - for developers who want to increase their
overall knowledge of WebObjects or who are trying to solve
specific problems.
http://www.global-village.net/products/practical_webobjects
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
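An added example, not code from this thread or from WebObjects, that re-implements the quoting rule Chuck quotes for EOSQLExpression.formatStringValue (wrap in single quotes, escape embedded single quotes) in Python over an in-memory SQLite table and shows why normalizeEmail is not an escaping step: a legitimate address containing an apostrophe breaks the concatenated statement, while the quoted form and a parameterized query each update exactly one row. The contact table layout, the normalize_email behaviour and the use of SQLite are assumptions for the demo.

```python
import sqlite3


def format_string_value(value: str) -> str:
    """Mimic EOSQLExpression.formatStringValue: enclose the value in
    single quotes and double any single quote already present (standard
    SQL string-literal escaping). Re-implementation, not the WebObjects code."""
    return "'" + value.replace("'", "''") + "'"


def normalize_email(email: str) -> str:
    # Stand-in for User.normalizeEmail from the thread (assumed behaviour):
    # strip whitespace and lower-case. It normalizes; it does not escape.
    return "".join(email.split()).lower()


def fresh_db() -> sqlite3.Connection:
    # Constructed sample table; one address legitimately contains an apostrophe.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact (email TEXT, optedOut INTEGER DEFAULT 0)")
    conn.executemany("INSERT INTO contact(email) VALUES (?)",
                     [("alice@example.com",), ("o'brien@example.com",)])
    return conn


def opt_out_concat(conn, email):
    # The pattern from the thread: normalize, then concatenate into the SQL.
    sql = "UPDATE contact SET optedOut = 1 WHERE email = '" + normalize_email(email) + "'"
    return conn.execute(sql).rowcount


def opt_out_escaped(conn, email):
    # Same statement, but the value goes through formatStringValue-style quoting.
    sql = "UPDATE contact SET optedOut = 1 WHERE email = " + format_string_value(normalize_email(email))
    return conn.execute(sql).rowcount


def opt_out_param(conn, email):
    # Preferred: let the driver bind the value, so no escaping is needed at all.
    return conn.execute("UPDATE contact SET optedOut = 1 WHERE email = ?",
                        (normalize_email(email),)).rowcount


def demo(email):
    """Run all three variants against a fresh table; return rows updated or the error."""
    results = {}
    for name, fn in (("concat", opt_out_concat), ("escaped", opt_out_escaped), ("param", opt_out_param)):
        conn = fresh_db()
        try:
            results[name] = fn(conn, email)
        except sqlite3.Error as exc:
            results[name] = "error: " + type(exc).__name__
        conn.close()
    return results
```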